
New Claude-Based Malware Targets Crypto Developers via NPM Packages

Severity: High (Score: 73.2)

Sources: Cybersecuritynews, Mexc

Summary

A malicious npm package named @validate-sdk/v2 was introduced into an open-source crypto trading project, giving the attackers access to users' crypto wallets and funds. The breach, discovered by ReversingLabs, is attributed to the North Korean state-sponsored group Famous Chollima, which has been publishing malicious npm packages since September 2025.

The attack exploits AI coding assistants with a two-layer strategy: first, 'bait' packages that contain no malicious code, then second-layer packages, pulled in by the bait, that carry the actual malware. The PromptMink malware, which has evolved from a simple infostealer into stealthy Rust payloads, searches for crypto-related configuration files and exfiltrates sensitive information.

This incident is part of a broader trend of malware targeting crypto developers; another recent campaign, GhostClaw, affected 178 developers. The PromptMink campaign is ongoing, with new packages published as older ones are taken down.

Key Points

• PromptMink malware targets crypto developers through malicious npm packages.
• The attack exploits AI coding assistants, using a two-layer strategy for deception.
• Famous Chollima, a North Korean state-sponsored group, is behind the campaign.
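The two-layer pattern above means the package a developer installs can look clean while a transitive dependency carries the payload, so a blocklist check has to walk the whole lockfile tree, not just direct dependencies. The following Node.js script is an added example, not code from the report or from ReversingLabs: it walks a constructed package-lock.json (lockfileVersion 3), flags the package name from the report at any depth, and reports which top-level dependency pulled it in. The lockfile contents, the bait package name 'trading-helper', and the versions are all constructed for this example.

```javascript
// Names to flag; the only entry is the package named in the report.
const BLOCKLIST = new Set(['@validate-sdk/v2']);

// Constructed lockfile fragment: 'trading-helper' is a hypothetical clean bait package
// whose own dependency list brings in the flagged second-layer package.
const SAMPLE_LOCK = {
  name: 'crypto-bot', lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'trading-helper': '^1.0.0', lodash: '^4.17.21' } },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/trading-helper': { version: '1.0.3', dependencies: { '@validate-sdk/v2': '^2.1.0' } },
    'node_modules/trading-helper/node_modules/@validate-sdk/v2': { version: '2.1.0', hasInstallScript: true },
  },
};

// Resolve a dependency name from a lockfile path the way npm does: look for a nested
// "<base>/node_modules/<name>" first, then walk up to each parent, ending at the hoisted root.
function resolvePath(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (!base) return null; // not in the lockfile at all
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; one finding per blocklisted package reached,
// with the dependency chain that reaches it and whether it declares an install script.
function findBlocklisted(lock, blocklist = BLOCKLIST) {
  const { packages } = lock;
  const findings = [];
  const seen = new Set();
  const walk = (path, chain) => {
    const deps = (packages[path] && packages[path].dependencies) || {};
    for (const dep of Object.keys(deps)) {
      const next = resolvePath(packages, path, dep);
      if (!next || seen.has(next)) continue;
      seen.add(next);
      const nextChain = [...chain, dep];
      if (blocklist.has(dep)) {
        findings.push({ name: dep, version: packages[next].version,
          chain: nextChain.join(' > '), installScript: Boolean(packages[next].hasInstallScript) });
      }
      walk(next, nextChain);
    }
  };
  walk('', []);
  return findings;
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; the chain field is what tells you which direct dependency to remove.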
